The biggest Copilot risk is not the AI. It is the pre-existing oversharing in your tenant. Copilot does not widen anyone's permissions, but it makes every document a user can already open trivially discoverable. If you have not audited SharePoint permissions in years, Copilot will surface to your employees ALL documents they have access to, including the ones they should never have been able to read.
The oversharing problem
Real case: financial sector client. 12 years of SharePoint on-premises migrated to SharePoint Online. Permissions inherited through nested groups that nobody had reviewed since 2017. A user with "Read" access on a compensation site asks Copilot "how much does the CEO earn?". Copilot returns the document. Incident reported to the regulator.
The minimum before activating Copilot
- Permission audit: PowerShell with PnP to detect sites where "Everyone" or "Everyone except external users" has been granted access unintentionally.
- Sensitivity labels: at least 4 levels defined (Public, Internal, Confidential, Highly Confidential) with auto-classification where possible.
- Configure Copilot (through Purview DLP) to NOT return content labeled "Highly Confidential" unless the user has been granted that access explicitly.
- SharePoint Advanced Management: enable restricted domain access, expiring share links, quarterly site access reviews.
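The permission audit above is the step most teams skip, so here is an added example of what that PnP PowerShell sweep looks like. This is illustration code written for this article, not a script from the client engagement; it assumes the PnP.PowerShell module is installed, that the account running it has SharePoint administrator rights, and it uses a placeholder tenant URL (`contoso-admin.sharepoint.com`) that you replace with your own. It flags every site-level SharePoint group that contains the tenant-wide "Everyone" (claim `c:0(.s|true`) or "Everyone except external users" (claim prefix `c:0-.f|rolemanager|spo-grid-all-users/`) principals, which are exactly the memberships Copilot turns into tenant-wide discoverability.

```powershell
# Added example: inventory site-level groups that grant tenant-wide access.
# Assumes PnP.PowerShell and a SharePoint admin account; tenant URL is a placeholder.
$tenantAdminUrl = "https://contoso-admin.sharepoint.com"

# Claims that mean "everybody in the tenant" in SharePoint Online.
$broadClaims = @(
    "c:0(.s|true",                             # Everyone (includes guests)
    "c:0-.f|rolemanager|spo-grid-all-users/"   # Everyone except external users
)

Connect-PnPOnline -Url $tenantAdminUrl -Interactive

# Skip personal OneDrive sites; they are not the usual oversharing vector.
$sites = Get-PnPTenantSite -IncludeOneDriveSites:$false

$findings = foreach ($site in $sites) {
    # Reconnect per site; the interactive token is reused from the cache.
    Connect-PnPOnline -Url $site.Url -Interactive

    foreach ($group in Get-PnPGroup) {
        foreach ($member in Get-PnPGroupMember -Group $group) {
            $isBroad = $broadClaims | Where-Object { $member.LoginName -like "$_*" }
            if ($isBroad) {
                [pscustomobject]@{
                    Site              = $site.Url
                    SharingCapability = $site.SharingCapability   # external sharing setting
                    Group             = $group.Title
                    Principal         = $member.Title
                    LoginName         = $member.LoginName
                }
            }
        }
    }
}

# One row per broad grant; review these sites before enabling Copilot.
$findings | Sort-Object Site | Export-Csv -Path .\oversharing-report.csv -NoTypeInformation
$findings | Format-Table Site, Group, Principal -AutoSize
```

Two caveats: this sweep only covers site-level SharePoint groups, so libraries, folders and items with unique permissions (broken inheritance) and "People in your organization" sharing links need a separate pass, and a site appearing in the report is not automatically wrong, since some sites (a public intranet, for example) are meant to be open. Treat the CSV as the review queue for the site owners, not as a list of things to break.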
Microsoft Purview essentials
Purview is not optional with Copilot. You need: Information Protection (sensitivity labels, which Copilot honors when deciding what to return), Data Loss Prevention (rules that block labeled content from reaching prompts and answers), Insider Risk Management (behavioral signals, such as a user suddenly querying compensation or M&A material), and Audit (retention of Copilot interaction logs so you can reconstruct who asked what). Without this, Copilot operates in an environment with no safety net.
14+ years leading enterprise digital transformation projects in LATAM and Europe. Founder of TIKAL SOLUTIONS.